Legal Report: SEC Reached Preliminary Settlement Agreement with SolarWinds and CISO

Security Management’s Legal Report is a monthly column that highlights the instances where legal matters intersect with the security industry. Our team tracks court cases, new and developing legislation, and regulatory decisions or investigations that affect private organizations and security professionals worldwide.

To share a tip or notify Security Management about emerging legal issues, email Associate Editor Sara Mosqueda at [email protected].

Judicial Decisions

United States

Cybersecurity. The U.S. Securities and Exchange Commission (SEC) reached a settlement agreement in principle with SolarWinds Corp and its chief information security officer (CISO), which would end litigation concerning a massive cyberattack.

The SEC sued the company in October 2023, claiming that SolarWinds had misled investors about the risks in its information technology systems that left it vulnerable to cyberattacks, including the 2020 SUNBURST breach. In that incident, Russia-linked hackers maliciously infiltrated the company’s systems and used the access to penetrate clients’ networks.

In early July 2025, the SEC, SolarWinds, and CISO Timothy Brown asked a federal judge to stay further court proceedings while the parties finalize and approve a settlement. Judge Paul Engelmayer dismissed most of the original SEC lawsuit in July 2024, explaining that the claims were based on “hindsight and speculation.”

The parties will file settlement paperwork or provide a status update by 12 September, according to a letter sent to Engelmayer. (SEC v. SolarWinds Corp., et al., U.S. District Court for the Southern District of New York, No. 23-cv-09518-PAE, 2025)

Utilities. Cameron John Wagenius, a 21-year-old former U.S. Army soldier, pled guilty to a series of cyberattacks and attempted extortion on telecommunications companies.

Wagenius faces a maximum prison sentence of 27 years for conspiring to commit wire fraud, extortion related to computer fraud, and aggravated identity theft. Between 2023 and 2024, Wagenius used online accounts and “conspired with others to defraud at least 10 victim organizations,” according to the U.S. Department of Justice (DOJ). The conspirators used a hacking tool and other methods to access login credentials to protected computer networks at the organizations. The DOJ added that at least some of the activity occurred while Wagenius was on active duty. After the data was stolen from the organizations, the conspirators tried to extort them for at least $1 million, threatening to publish or sell the data to other cybercriminals.

A sentencing hearing for Wagenius has been scheduled for 6 October 2025. (United States v. Cameron John Wagenius, U.S. District Court for the Western District of Washington, No. 25-cr-00142-LK, 2025)

U.S. States

Civil rights. A federal judge in Kentucky sentenced a former police officer to almost three years in prison for his actions during the botched drug raid that killed Breonna Taylor.

In 2024, a jury convicted Brett Hankison of violating Taylor’s civil rights with the use of excessive force when he fired several times through Taylor’s window during a drug raid. Taylor was killed during the raid, although not by Hankison.

Prior to sentencing, the prosecutor in the case, Assistant Attorney General Harmeet Dhillon, asked the judge to only sentence Hankison to one day in prison and three years of supervised release. The charges against Hankison carried a maximum sentence of life in prison but instead Judge Rebecca Jennings issued a 33-month sentence. (United States v. Brett Hankison, U.S. District Court for the Western District of Kentucky, No. 22-cr-00084, 2025)

College murders. A district judge for Idaho sentenced Bryan Christopher Kohberger to multiple life sentences with no chance of parole. As part of a deal to avoid the death penalty, Kohberger previously pled guilty to the 2022 murder of four University of Idaho students.

Judge Steven Hippler ordered that the four life sentences run consecutively, followed by a 10-year sentence for felony burglary. The plea deal does not allow Kohberger to appeal the ruling or submit a request for leniency.

Kohberger has not revealed a motive for the murders of the students who lived in off-campus housing, and authorities have still not found a connection between Kohberger and the students. Authorities linked Kohberger to the murder of Kaylee Goncalves, 21, Madison Mogen, 21, Xana Kernodle, 20, and Kernodle’s boyfriend Ethan Chapin, 20, using DNA samples, cell phone records, and other evidence. Two other roommates lived in the house but survived the attack. (Idaho v. Bryan C. Kohberger, District Court of the Fourth Judicial District of Idaho, No. CR01-24-31665, 2025)

Legislation

European Union

Space risk management. The European Union proposed a set of rules that would make the European space industry cleaner, safer, and more competitive.

The draft legislation focuses on safety, resilience, and sustainability. Regarding safety, the law would introduce measures to better track objects in orbit and prevent the production of new space debris. This includes provisions for the disposal of satellites once they are at the end of their lives.

If approved, the Space Act would also require satellite operators to perform risk assessments on active satellites throughout their lifecycle. Operators—both EU and non-EU operators that provide space services in Europe—must submit detailed incident reports and adopt updated cybersecurity standards.

“A targeted support package will help businesses and member states transition smoothly,” the EU said, noting a desire to make EU companies more competitive in this sector. “Special attention is given to reducing administrative burdens and facilitating compliance, especially for start-ups, SMEs, and small mid-caps.”

U.S. States

Deepfakes. Pennsylvania Governor Josh Shapiro enacted a new law that criminalizes instances where artificial intelligence (AI) is used without a person’s consent to create an image or video impersonating the person.

The law, SB 649, defined such deepfake images as digital forgeries and established their production as a misdemeanor or felony violation, depending on the intent behind the deepfake’s creation. Anyone creating a deepfake with the intent of defrauding a victim faces a third-degree felony charge.

In the United States, at least 38 different measures attempting to regulate AI deepfakes have been introduced by legislators in 18 states.

Layoffs. Ohio Governor Mike DeWine enacted HB 96, which introduced a Worker Adjustment and Retraining Notification (WARN) statute that requires employers in the state to provide notice of certain plant closings and mass layoffs.

Employers must provide 60 days’ advance written notice before closing a plant or conducting a mass layoff. While most of the law’s language mirrors the federal WARN, the state’s statute goes beyond the federal act by mandating that additional required notice must be given to the chief elected officer in the county where the closure or mass layoff will occur.

The new law will take effect on 29 September.

United States

Artificial intelligence. U.S. senators Josh Hawley and Richard Blumenthal introduced a bill that would allow people to sue technology companies for scraping their data and using it to train AI models.

Senate bill 2367 (also known as the Artificial Intelligence Accountability and Personal Data Protection Act) would prevent AI companies from training their products on copyrighted works and allow individuals to sue if their personal data or copyrighted materials had been used without consent. In cases when consent is given, companies must identify which third parties will have access to the data.

Regulations

U.S. States

Utilities. New York state announced that water and wastewater utilities will be subject to a stricter set of cybersecurity standards.

The new regulations would require water and wastewater providers in the state with more than 3,300 customers to obey new cybersecurity measures. These include performing an annual cybersecurity vulnerability analysis, creating and implementing formal cybersecurity programs and incident response plans, training staff on cybersecurity hygiene, and adhering to new incident reporting requirements.

For larger utilities—ones with more than 50,000 customers—there will be an additional requirement of designating an employee responsible for managing a cybersecurity program, as well as monitoring and recording network activity.

The regulations were developed by members of the state’s environmental conservation, health, and public service departments.

Utility providers will also have access to a newly created $2.5 million grant program to assist with the costs of the new regulations.

Also of Interest

Security Management follows court cases, bills, laws, and regulatory issues that impact the security industry. Here are some of the developing stories that are of current interest.

Deepfakes. The Danish government is proposing to expand its copyright law to grant people protection against deepfake images. If passed, the amendment would allow individuals to demand that social media platforms take down any forged digital images or videos.

Fraud. Authorities charged Christine Hunsicker—the entrepreneur behind now-bankrupt clothing technology startup CaaStle—with defrauding investors of more than $300 million. Hunsicker, who promoted the idea as a clothing-as-a-service business that would allow clothing brands to rent items to consumers, was charged with wire fraud, securities fraud, money laundering, making false statements to a bank, and identity theft. CaaStle filed for Chapter 7 bankruptcy liquidation on 20 June. (United States v. Hunsicker, U.S. District Court for the Southern District of New York, No. 25-cr-00318, 2025)

Political assassination. Vance Boelter—the man accused of killing a Minnesota state lawmaker and her husband, along with the shooting of another state senator and his wife—confessed to the shootings in a letter addressed to FBI Director Kash Patel. Boelter, who claimed to be acting on “secret orders” from Governor Tim Walz, is in custody and his attorney said he will enter a plea of not guilty. His arraignment was scheduled for 7 August.

Ransom. The United Kingdom announced plans to ban public sector organizations and critical infrastructure from paying ransoms to cybercriminals, in an effort to discourage ransomware attacks.

Ukraine. The European Court of Human Rights ruled that Russia was responsible for the 2014 passenger jet crash and broader human rights violations against Ukraine.

Working conditions. The U.S. Department of Labor plans to rewrite or repeal more than 60 workplace regulations that would impact working conditions at construction sites and mines, as well as curb the government’s power to fine or punish employers if their employees are injured or killed because of risky on-the-job activities.
